Security and Smart Contract Audits

Summary

At Reservoir we take smart contract security very seriously to ensure the protection of our developers and their users. Below is a breakdown of the smart contracts used within the Reservoir ecosystem and their security/audit status.

Listing

Reservoir aggregates different NFT exchange protocols, allowing you to access them all through a single, simplified interface. All supported protocols have undergone extensive audits:

When you list an NFT through a Reservoir-powered marketplace, the listing happens through one of the above protocols. By default, Seaport is used, but each team that deploys a marketplace chooses which protocol to use.

To list, you must approve the exchange contract to transfer your tokens. This is exactly the same as if you listed directly on another marketplace. In fact, if you have already approved a particular exchange contract through OpenSea, Coinbase or LooksRare, you don’t need to do it again on a Reservoir-powered marketplace. You’re approving the underlying exchange, not Reservoir.

Purchasing

Single item sales are executed via the order's native exchange contract. Multi-item sales are executed through Reservoir’s Router contract, enabling users to purchase items from different marketplaces in one transaction.

Reservoir's Router contract has had the following audits:

  • V3 internally audited by multiple teams, including Art Blocks and Coinbase
  • V4 & V5 are minor edits to V3, based on audit feedback
  • V6 audited by Consensys Diligence (report)

Note: V5 is currently live on Mainnet and being used by our hosted APIs.

This contract does not hold any user funds or have permission to spend user funds. All actions must be directly approved by the user, on a per-transaction basis. This gives it a very different security profile to the exchange contracts above, or DeFi protocols.
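A wallet owner can check both claims above (approvals go to the underlying exchange, and the Router has no standing permission to spend) by querying the token contract's standard approval getters. The following is an added example, not Reservoir's code: it builds the eth_call requests and flags any operator holding an approval that was not expected. All addresses and RPC results are constructed placeholders, and the helper names are hypothetical.

```python
"""Check which operators a wallet has approved on a token contract (added example)."""

SELECTORS = {
    "isApprovedForAll": "e985e9c5",  # ERC-721/1155 isApprovedForAll(address,address)
    "allowance": "dd62ed3e",         # ERC-20 allowance(address,address)
}

def abi_address(addr):
    """Encode a 20-byte hex address as a left-padded 32-byte ABI word."""
    h = addr[2:] if addr.startswith("0x") else addr
    if len(h) != 40:
        raise ValueError("not a 20-byte address: %r" % addr)
    int(h, 16)  # raises ValueError on non-hex input
    return h.lower().rjust(64, "0")

def eth_call_payload(token, fn, owner, operator, req_id=1):
    """JSON-RPC eth_call body asking `token` whether `operator` may move `owner`'s assets."""
    data = "0x" + SELECTORS[fn] + abi_address(owner) + abi_address(operator)
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def decode_word(result):
    """Decode the single 32-byte return word (bool or uint256) to an int."""
    h = result[2:] if result.startswith("0x") else result
    if len(h) != 64:
        raise ValueError("expected one 32-byte word, got %d hex chars" % len(h))
    return int(h, 16)

def unexpected_approvals(results, expected):
    """Operators with a non-zero approval that are not in the expected set."""
    expected = {a.lower() for a in expected}
    return sorted(op for op, raw in results.items()
                  if decode_word(raw) != 0 and op.lower() not in expected)

# Constructed placeholders, not real deployed addresses.
OWNER = "0x" + "11" * 20
COLLECTION = "0x" + "22" * 20
EXCHANGE = "0x" + "aa" * 20  # stands in for the exchange contract you approved
ROUTER = "0x" + "bb" * 20    # stands in for the Router contract

# Constructed eth_call results keyed by operator: exchange approved, router not.
SAMPLE_RESULTS = {EXCHANGE: "0x" + "0" * 63 + "1", ROUTER: "0x" + "0" * 64}

if __name__ == "__main__":
    for op in SAMPLE_RESULTS:
        print(eth_call_payload(COLLECTION, "isApprovedForAll", OWNER, op))
    print("unexpected:", unexpected_approvals(SAMPLE_RESULTS, {EXCHANGE}))
```

To run it against a live node, POST each payload to your RPC endpoint and pass the returned `result` strings to `unexpected_approvals`, using the real addresses from the project's deployed-contracts list.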

Deployed Contracts

Source Code

